Abstract: 

This report deals with security in wireless sensor networks (WSNs), especially at the network layer. Multiple 
secure routing protocols have been proposed in the literature. However, they often rely on cryptography to 
secure routing functionalities, and cryptography alone is not enough to defend against the multiple attacks 
made possible by node compromise. Therefore, algorithmic solutions are also needed. 

In this report, we focus on the behavior of routing protocols to determine which properties make them more 
resilient to attacks. Our aim is to find answers to the following questions. Are there existing protocols, 
not initially designed for security, which already contain some inherently resilient properties against attacks 
in which some portion of the network nodes is compromised? If yes, which specific behaviors make 
these protocols more resilient? 

This report gives an overview of security strategies for WSNs in general, including existing attacks 
and defensive measures, and focuses on the network layer in particular: an analysis of the behavior 
of four routing protocols is provided to determine their inherent resiliency to insider attacks. The 
protocols considered are Dynamic Source Routing (DSR), Gradient-Based Routing (GBR), Greedy Forwarding 
(GF) and Random Walk Routing (RWR). 

Key-words: security, wireless sensor networks, survey, resiliency, attacks. 
Resilient communication protocols for wireless sensor networks 

Abstract (French résumé, translated): 

In this report we address security in wireless sensor networks (WSNs), more particularly 
at the network layer. In the literature, many proposals attempt to solve these security problems, notably 
by using cryptography. Cryptography solves the classical problems of authenticity, 
confidentiality and data integrity. It therefore provides basic security, but 
does not protect against insider attacks when some of the ordinary nodes are compromised. 
Consequently, algorithmic solutions are needed to complement it. 

Our objective is to find answers to the following questions. Do there exist protocols not initially designed 
for security, but which already contain some inherently resilient properties against 
insider attacks? If so, which specific behaviors make them more resilient? 

This work gives rise to two contributions: i) first, an overview of security strategies in WSNs in general 
and at the network layer (OSI model) in particular, then ii) a study of the behavior of routing protocols 
in sensor networks subjected to network attacks. The protocols considered are: Dynamic 
Source Routing (DSR), Gradient-Based Routing (GBR), Greedy Forwarding (GF) and Random Walk Routing 
(RWR). 

Key-words: security, sensor networks, attacks, survey, resilience. 
1 Introduction 

Wireless sensor networks (WSNs) are composed of a large number of low cost, low power, multifunctional 
sensor nodes (Fig. 2) communicating over short distances. These sensor nodes are densely deployed to collect 
and transmit data from the physical world to one or more destination nodes called "sinks" in an autonomous way 
(Fig. 1). WSNs have a wide range of applications such as industrial control, supervising and monitoring, home 
automation, military applications, detection of environmental parameters, and medical monitoring [3]. WSNs 
have multiple advantages such as rapid deployment, low cost, self-organization and fault tolerance. 



WSNs are close to ad-hoc networks. They share some common points such as radio communication and a 
decentralized, self-organized and self-configured architecture. Ad-hoc networks are considered to have limited 
resources, while WSNs have even stronger resource limitations, including a strong energy constraint. Ad-hoc networks 
use a point-to-point ("any-to-any") traffic profile, while WSNs usually use a convergecast ("many-to-one") traffic 
profile. We describe these WSN characteristics as follows: 

• Traffic profile 

— Many-to-one: multiple sensor nodes send their sensed data to the sink node. In the presence of 
several sink nodes, traffic profile is "many-to-few". 

— One-to-many: the sink node floods control or query information to other sensor nodes. If there are 
several sink nodes, traffic is "few-to-many". 

— One-to-any: the sink node can query a specific sensor node. 

— Any-to-one: a sensor node can send data to the sink node. 

Figure 1: Sensor networks 

• Hardware constraints 

— Limited memory and limited computing power: A sensor is a tiny device with only a small amount 
of memory and computing power. For example, the common sensor type MICAZ has only 4KB of 
RAM, 128KB of ROM, 512KB of flash memory and an 8 MHz Atmel AVR ATmega processor. 

— Limited power source: A sensor node can only be equipped with a limited battery (< 1.5 Ah, 1.2 V) 
[3]. Because changing batteries in a large number of nodes (of the order of hundreds to thousands) 
is impractical, sensor node lifetime depends strongly on battery lifetime. 

— Limited power of emission: Because individual sensor nodes have limited radio emission capabilities, 
accomplishing the network goal often depends on local cooperation through multi-hop routing. 

Figure 2: Sensor node 



• Environment 

Depending on the application, sensor nodes are frequently deployed in open and hostile geographic areas, 
unlike a traditional network system housed in a secure building. They can be deployed in many different ways, 
from randomly dropping them from a plane or a helicopter, to carefully positioning them one by one [71]. 

• Communication media 

Sensor nodes are linked by a wireless medium, generally radio communication. Though infrared or optical 
media [3] can also be considered as alternatives, both require a line of sight between sender and receiver, 
which is impractical for WSNs. 

• Topology 

A large number of sensor nodes densely and randomly deployed throughout the sensor field requires 
careful handling of topology maintenance. The number of sensor nodes may be in the hundreds or 
thousands. Depending on the application, the number may reach an extreme value of millions [?]. The 
node density may be as high as 20 nodes/m³ [3]. The position of sensor nodes is not engineered or 
predetermined. The topology may change often due to the appearance and disappearance of nodes caused by 
lack of power, physical damage or environmental interference. Additional sensors can be redeployed at 
any time. 

Security techniques used in traditional network systems cannot be applied directly to WSNs. First, sensors 
have to be cheap, thus sensors have limited resources (memory, energy, computation power, etc.). Second, sensors 
deployed in an open and hostile environment present risks of physical attacks. 

Due to the open wireless medium, a passive attacker can eavesdrop on communications and an active attacker can 
alter, replay, and replicate messages. Thus, confidentiality and integrity are required. Availability 
is also required against denial of service (DoS) attacks such as jamming, collisions, exhaustion, etc. Because 
devices are left unattended in open and hostile environments, an adversary can compromise nodes, clone them, move them, 
or modify their software/hardware. Thus, authentication is required. 

Node compromise is the major security problem in WSNs: it allows an adversary to get inside 
the security perimeter by extracting sensitive information such as encryption keys, identities, addresses, etc. 
Subsequently, the adversary can modify software/hardware to his own needs and launch internal attacks 
such as Sybil attacks, node replication, or black hole, grey hole, wormhole and sinkhole attacks. 

Multiple secure routing protocols have been proposed in the literature [?] [25] [?] [55]. However, even though 
they often use cryptography to secure routing functionalities, these mechanisms are not effective against the 
aforementioned internal attacks stemming from node compromise. Malicious internal nodes can introduce false 
topological, control, neighborhood or routing information, or simply not forward messages. To our knowledge 
there is not much literature analyzing routing protocols to determine whether they possess inherently resilient 
properties against internal attacks, even though they were not initially designed for security. We 
analyze the resiliency of existing routing protocols in order to emphasize and augment them by appropriate 
protocol design focusing on "beyond cryptography" approaches. 

1.1 Report outline 

The remainder of this report is organized along the following lines. Section 2 gives an overview of security issues for 
WSNs, including existing attacks and defensive measures in Section 2.1 and security issues of the network layer in Section 2.2. 
Then, in Section 3 we explain our approach to the security of routing protocols, including a classification of routing 
protocols and adversary models. Finally, in Section 4 we present our simulation results and an analysis of the behavior of 
four particular routing protocols to determine their resiliency against attacks. 

2 Related work 

Compared with other wireless networks such as ad-hoc networks and wireless LANs, security 
in WSNs is more complex because of resource constraints such as limited energy, memory and computational 
power. 

2.1 Attacks and defensive measures 

2.1.1 Ontology 

According to Wikipedia, 

"In computer science and information science, an ontology is a formal representation of a set of concepts 
within a domain and the relationships between those concepts. It is used to reason about the properties of that 
domain, and may be used to define the domain. 

In theory, an ontology is a "formal, explicit specification of a shared conceptualization". An ontology provides 
a shared vocabulary, which can be used to model a domain - that is, the type of objects and/or concepts that 
exist, and their properties and relations." 

With this in mind, Znaidi et al. proposed in [88] an ontology for attacks in WSNs, composed of four main 
classes: intention, movement, target and result. 

The authors identified five different "intentions": passive eavesdropping, disruption of communication 
by destroying links, causing unfairness by exhausting available resources (such as bandwidth, energy, battery, 
etc.), becoming authenticated by obtaining access to the network services, and finally becoming authorized by 
compromising secret information, for example encryption keys used to decrypt messages. 

"Movement" describes the way the attacker reaches one or many of the aforementioned intentions. Technical 
capabilities of an adversary can be more sophisticated, for example, using a laptop to apply efficient tampering 
techniques to extract data from sensors. One or many adversary entities can collude to launch a successful attack. 
Resource constraints or design vulnerabilities in layered network architecture can be exploited by adversaries. 

In WSNs, all system resources and network services are potential "targets" for the adversaries. A "target" 
can be physical or logical. For example, physical targets can be to destroy the sensor, damage its radio, remove 
batteries, etc. Examples of logical targets are damaging internal services such as power management, connection 
between layers, etc., or damaging provided services such as time synchronization, key management, etc. 

The authors defined three categories to describe the "result". Adversaries can produce only passive damage 
if an attack can be stopped by some preventive mechanism, partial degradation if a service breaks in one part 
of the WSN, or broken service for the entire network. 

2.1.2 Hardware attacks 

Node compromise is the major problem of security in WSNs. Node compromise allows the adversary to enter 
inside the perimeter of security. 

Because of deployment in an open and hostile environment, adversaries can easily capture sensor nodes or cause 
physical damage. Tampering is the well-known attack on the hardware components of a sensor node that involves 
modification of its internal structure, allowing an adversary to extract sensitive information such as encryption 
keys shared between nodes, or even to change the device program to his own needs. The hardware constraints of 
sensor nodes may facilitate this kind of attack. However, one should keep an eye on technological advances 
in the field of tamper resistance. 

The attack via the JTAG interface is described in [5]. JTAG (Joint Test Action Group) is the interface used 
for component testing through the Test Access Port (TAP), and as shown there it can allow an adversary to gain full 
control of a sensor node. The authors describe an attack exploiting the Bootstrap Loader (BSL), through which the adversary 
can read and write the microcontroller memory. Another simple form of attack is eavesdropping on the 
data exchanged on the conductor wires connecting the external memory (such as EEPROM) and the microcontroller; this 
enables an adversary to read all transferred valuable data. 

Furthermore, adversaries can replicate sensor nodes with the intention to introduce malicious ones. They 
can also use sensor detection equipment to locate legitimate active sensors and destroy them. 

Defensive measures 

Each sensor node can be protected against physical hardware-level attacks by improving its hardware, or by 
using algorithmic solutions. 

Using tamper-resistant hardware, each sensor node can be protected so that sensitive data in its memory is 
inaccessible. In [5], the authors propose to disable the JTAG interface or to use a good password for the bootstrap 
loader. Another possible technique is to use special software and hardware outside the sensor to detect physical 
tampering. Yet another technique is self-termination, where a sensor node kills itself and destroys its data 
and keys when it senses a possible attack. 

The algorithmic approach consists in using techniques such as neighborhood checking, location verification 
and resilient routing against node compromise. The location-based technique consists in making sure that 
location claims are legitimate. Several researchers have designed routing protocols that achieve some resiliency 
against node capture by sending every packet along multiple, independent paths and checking at the destination 
for consistency among the packets that were received [54]. Against attackers with sensor-detecting equipment, 
sensor nodes can work in cooperation by detecting the attacker and preventing other nodes from switching their states 
[?]. 

Chen et al. proposed to estimate the probability of node compromise in WSNs. Nodes which are close 
to an enemy-controlled area may have a larger probability of being compromised than nodes which are far away 
from it. They describe intelligent models, where a system should have a mechanism to 
know and record node compromise events and use current node compromise events to estimate future node 
compromises accurately. 

The following sections summarize existing attacks and defensive measures following the layered network 
architecture of the OSI model. It is shown that each layer is susceptible to different attacks. 

2.1.3 Physical layer 

The physical layer is responsible for frequency selection, carrier frequency generation, signal detection, 
modulation, and data encryption [4]. 

• Sniffing, traffic analysis and message corruption. 

Because of the nature of radio communication, an adversary with powerful resources can collect information from 
sensor nodes if traffic is not encrypted. Even if the message transfer is encrypted, they can still acquire enough 
information to prepare and cause damage. An active attacker can modify the content of a message to 
compromise its integrity. 

Defensive measures 

Different cryptographic methods can be used to defend against these attacks. 

• Jamming 

Jamming is a denial-of-service attack, based on the transmission of a radio signal that interferes with the 
radio frequencies used by the sensor network. Different jamming strategies are presented in [77]: 

— Constant jamming: emitting continuously a radio signal. 

— Deceptive jamming: instead of sending out random bits, the deceptive jammer constantly injects 
regular packets to the channel without any gap between successive packet transmissions. 
— Random jamming: instead of continuously sending out a radio signal, a random jammer alternates 
between sleeping and jamming with the intention of evading detection. 

— Reactive jamming: the jammer transmits only when it senses channel activity and stays quiet 
when the channel is idle. 

Instead of jamming the whole frequency band, an adversary can simply jam the control channel, which is 
a highly energy efficient and effective jamming strategy. 

Defensive measures 

The standard defense against jamming is the use of spread-spectrum communication schemes such as frequency 
hopping or direct-sequence code spreading. To attack frequency hopping, jammers must be able 
to follow the precise hopping sequence or jam a wide enough section of the band [72]. 

For the case when attackers jam the broadcast control channel, [?] proposes a defensive measure using 
a technique based on binary trees. Each emitter constructs a binary tree based on randomly chosen 
frequencies. The emitter gives to all receivers the frequency corresponding to a leaf of the tree and those 
of its ancestors. Later the emitter sends two messages simultaneously on two different channels. Jamming 
is detected when a receiver receives the first message but not the second one. 

A cryptographic approach can be used [5] by introducing key assignment to obtain i-resiliency against control 
channel jamming. Another method, proposed in [63], is to use random key assignment. If each node has its own 
key, compromising a single node cannot affect the others, but a large number of channels is required. From 
this idea they claim that for key assignment one has to balance the trade-off between the number of 
channels and the robustness against jamming. 

Other techniques such as channel surfing and spatial retreats are discussed in [75]. Channel surfing is 
a form of spectral evasion that involves legitimate wireless devices changing the channel that they are 
operating on. Spatial retreats are a form of spatial evasion whereby legitimate mobile devices move away 
from the locality of the jamming emitter. 

The technique presented in [73] is more of a network layer defense, where sensor nodes may collaboratively 
map a jammed region and isolate it from the rest of the network. Upon detecting local jamming, nodes 
blindly report it to their neighbors. Receivers outside the jamming form groups and exchange mapping 
messages. Groups are coalesced to yield a mapped region. 

2.1.4 Link layer 

The data link layer is responsible for the multiplexing of data streams, data frame detection, medium access 
and error control [?]. The MAC (Media Access Control) layer provides channel arbitration for neighbor-to-neighbor 
communication. Cooperative schemes that rely on carrier sense let nodes detect whether other nodes are 
transmitting. 

• Collisions 



Attackers may simply and intentionally violate the communication protocol and continuously transmit messages 
in order to cause interference and generate collisions. To be more effective, they can send their own 
signal when they hear that a legitimate node is about to transmit. Such collisions require the retransmission 
of every packet affected by the collision. In theory, a collision on a single byte is enough to 
create a CRC error and cripple the message. The advantages of a collision attack compared to a jamming 
attack are the small amount of energy consumed and the difficulty of detecting it. A corrupted ACK control message 
can induce costly exponential back-off in some MAC protocols. 

Defensive measures 

All countermeasures that can be used against jamming attacks can be applied to collision attacks. Another 
method is to use error correcting codes [88], which are efficient in situations where errors occur on a limited 
number of bytes, but this solution also presents an expensive communication overhead and additional 
processing. 

A method for detecting MAC layer DoS attacks in a CSMA/CA network is proposed in [66], based 
on calculating the probability that the collisions in the network can be explained by simple observation 
of the events in the network. This technique, based on the M-truncated sequential Kolmogorov-Smirnov 
statistics, monitors the successful transmissions and the collisions of the terminals in the network, and 
determines how explainable the collisions are given such observations. 

• Exhaustion 

Exhaustion attacks consist in introducing collisions and forcing the sensor node to retransmit continuously 
until its battery resources are exhausted. In [55], attacks on IEEE 802.11 are described which consist in 
violating the BEB (Binary Exponential Backoff) algorithm, manipulating parameters such as SIFS, 
DIFS and EIFS, and manipulating control packets such as RTS (Ready-To-Send) and CTS (Clear-To-Send) in 
order to disturb the channel access policy. The adversary can repetitively request channel access with 
RTS, eliciting a CTS response from the targeted neighbor until its resources are exhausted (virtual jamming). 

Defensive measures 

Most solutions proposed in the literature try to reduce the impact of this attack rather than eliminate it 
entirely. One possible defensive measure is to limit the MAC admission control rate so that the sensor 
network can ignore excessive requests from the adversary and prevent energy loss. Another technique is to 
allow each sensor node only a small time slot to access the channel and transmit data, which limits the 
possibility of long use of the MAC channel. 

• Link layer jamming 

A link-layer jamming attack is presented in [80]. The adversary tries to find a data packet and jam 
it. However, as packets are generated spontaneously it becomes increasingly difficult for an adversary 
to predict data packet arrival times. To resolve this difficulty the adversary can look at the probability 
distribution of the inter-arrival times between all types of packets. This attack can be applied to different 
MAC protocols such as S-MAC, B-MAC and L-MAC. 

Defensive measures 

Some defensive measures against link-layer jamming are discussed in [80]. In the case of S-MAC, the 
solution is to prevent clustering based analysis from being feasible by narrowing the distance between the 
two clusters. In the case of L-MAC, a partial solution is to make the estimation of the clusters more 
difficult by using pseudo-random function of time to change the slot sizes of packet. For example, a sensor 
node can change its packet slot size every second by picking a random value from a range. For the B-MAC, 
the solution is to shorten the preamble in order to make its detection harder. 

2.1.5 Routing layer 

The network layer is responsible for addressing, neighborhood discovery and routing. As WSNs are envisaged to 
use multi-hop communication, messages may traverse many hops before reaching their destination. The attacks 
on the routing layer are summarized in [35]. 

• Sybil attacks 

Newsome et al. describe in [19] the Sybil attack in the context of WSNs. The Sybil attack is defined 
as a malicious device illegitimately taking on multiple identities (Fig. 3). Malicious nodes can fill 
their neighbors' memories with non-existent neighbors. The Sybil attack is also effective against routing 
algorithms, data aggregation, and resource allocation. 

Defensive measures 

To defend against the Sybil attack the network needs some mechanism to validate that a particular identity 
is the only identity held by a given physical node. In [35] two methods to validate identities are 
described: direct and indirect validation. In direct validation a trusted node directly tests whether the 
joining identity is valid. In indirect validation, another trusted node is allowed to vouch for or against 
the validity of a joining node. Newsome et al. primarily describe direct validation techniques, including a 
radio resource test. In the radio test, a node assigns each of its neighbors a different channel on which to 
communicate. The node then randomly chooses a channel and listens. If the node detects a transmission 
on the channel, it assumes that the node transmitting on the channel is a physical node. Similarly, if the 
node does not detect a transmission on the specified channel, it assumes that the identity assigned 
to the channel is not a physical identity. 

Another technique to defend against the Sybil attack, discussed in [70], is to use random key pre-distribution 
techniques. The idea behind this technique is that with a limited number of keys, a node that randomly 
generates identities will not possess enough keys to take on multiple identities and thus will be unable to 
exchange messages on the network, because the invalid identity will be unable to encrypt or 
decrypt messages. 
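The radio resource test above, as an added simulation that is not part of the original report: a verifier assigns one channel per claimed identity and listens on a random channel each round; a single radio can only drive one channel at a time, so identities belonging to a Sybil device are eventually caught silent. The `Device`, `radio_resource_test` and `run_example` names and the one-radio-per-device assumption are constructed for this illustration.

```python
import random
from typing import Dict, Iterable, List, Set


class Device:
    """A physical radio that may claim several identities (constructed model).
    Assumption behind the test: one radio drives one channel at a time."""

    def __init__(self, identities: List[str]):
        self.identities = list(identities)

    def transmit(self, assignment: Dict[str, int], rng: random.Random) -> Set[int]:
        # A Sybil device with k identities can only serve one of its k channels per round.
        own_channels = [assignment[i] for i in self.identities if i in assignment]
        return {rng.choice(own_channels)} if own_channels else set()


def radio_resource_test(claimed_neighbors: Iterable[str], devices: List[Device],
                        rounds: int, rng: random.Random) -> Set[str]:
    """Verifier side of the radio resource test.

    Each claimed neighbor identity gets a distinct channel.  Every round the
    verifier listens on one randomly chosen channel; an identity whose channel
    is silent while being listened to cannot be backed by a dedicated radio and
    is flagged as suspect.  Honest single-identity devices are never flagged
    because they always transmit on their own channel.
    """
    assignment = {ident: ch for ch, ident in enumerate(claimed_neighbors)}
    channel_owner = {ch: ident for ident, ch in assignment.items()}
    suspects: Set[str] = set()
    for _ in range(rounds):
        busy: Set[int] = set()
        for dev in devices:
            busy |= dev.transmit(assignment, rng)
        listened = rng.choice(list(channel_owner))
        if listened not in busy:
            suspects.add(channel_owner[listened])
    return suspects


def run_example(rounds: int = 200, seed: int = 1) -> Set[str]:
    """Constructed scenario: two honest nodes plus one device claiming three identities."""
    rng = random.Random(seed)
    devices = [Device(["h1"]), Device(["h2"]), Device(["s1", "s2", "s3"])]
    claimed = ["h1", "h2", "s1", "s2", "s3"]
    return radio_resource_test(claimed, devices, rounds, rng)


if __name__ == "__main__":
    print("suspect identities:", sorted(run_example()))
```

Detection is probabilistic per round, so the number of rounds sets the confidence; an attacker with several independent radios is outside the model, which is the limitation the paper's resource-testing argument rests on.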



• Node replication 

An adversary may capture nodes, analyze and replicate them, and insert these replicas at strategic 
locations in the network (Fig. 4). Such attacks may have severe consequences; they may allow the adversary 
to corrupt network data or even disconnect significant parts of the network [52]. 

Defensive measures 

Defenses against node replication attacks can be divided into centralized and distributed approaches. 
In a centralized approach each node sends to a base station a list of its neighbors together with a 
location. The base station verifies that no node is in two locations at the same time. The two main 
drawbacks are the existence of a single point of failure (i.e. the base station) and the need for a 
permanently present base station. 

In the distributed approach, instead of using a central base station, one can rely on a node's neighbors 
to perform replication detection. Using a voting mechanism, the neighbors can reach a consensus on the 
legitimacy of a given node. In the node-to-network broadcast approach, each node broadcasts to the whole 
network a signed location claim and stores the location claims of its d neighbors. If it receives a signed 
location claim conflicting with one of its neighbors' claims, it broadcasts to the whole network a revocation proof 
containing the conflicting claims. If n is the number of nodes and d the number of witnesses, in 
this case the communication cost is O(n) and memory usage is O(d). 

In a deterministic multicast approach, there is a public deterministic function F that for each node i 
outputs a set of witness nodes F(i) [45]. Communication cost is O(d · ln d · √n) and memory usage is O(d). 


In [52] the authors propose two distributed algorithms: randomized multicast and line-selected multicast. 
Randomized multicast improves upon the security of deterministic multicast by randomly choosing the 
witnesses. The birthday paradox suggests that there will be at least one collision. Communication cost is 
O(n) and memory usage is O(√n). 

The line-selected multicast algorithm seeks to reduce communication costs by choosing as witnesses 
intermediate nodes between source and destination. In the protocols proposed in [32] the nodes detect 
replication passively. If there is a replicated node, a witness will (passively) receive two conflicting location 
claims and use them to ban the replicas. Communication cost is O(√n) and memory usage is O(√n). 

A novel active approach is proposed in [45]. The idea is that each node actively tests whether d other random 
nodes (called scrutinized nodes) are replicated or not. The active approach needs a constant number of 
scrutinized nodes per node, so memory usage per node is O(1) and communication cost is O(√n). 
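The conflicting-location-claim check that all the replication defenses above rely on, as an added example not taken from the report or from the cited papers: authenticated claims for the same node id are compared, and an id reported at two places further apart than the localization error is a replica. The HMAC stands in for the signed claim, and the node ids, keys and coordinates are constructed sample data.

```python
import hashlib
import hmac
import math
from collections import defaultdict
from typing import Dict, List, Tuple

Claim = Dict[str, object]  # {"id": str, "x": float, "y": float, "sig": str}
Conflict = Tuple[Tuple[float, float], Tuple[float, float]]


def sign_claim(key: bytes, node_id: str, x: float, y: float) -> str:
    """Location claim authenticated with an HMAC under the node's key
    (constructed stand-in for the signed claim the paper describes)."""
    msg = f"{node_id}|{x:.3f}|{y:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_claim(key: bytes, claim: Claim) -> bool:
    expected = sign_claim(key, claim["id"], claim["x"], claim["y"])
    return hmac.compare_digest(expected, claim["sig"])


def detect_replicas(claims: List[Claim], keys: Dict[str, bytes],
                    tolerance: float) -> Dict[str, Conflict]:
    """Base-station (centralized) check: a node id may be at one place only.

    Claims that fail authentication are ignored, so an attacker cannot get an
    honest node revoked by forging a second location for it.  Two authentic
    claims for the same id further apart than `tolerance` (localization error)
    are reported as a replica, together with the conflicting locations.
    """
    locations = defaultdict(list)
    for c in claims:
        key = keys.get(c["id"])
        if key is not None and verify_claim(key, c):
            locations[c["id"]].append((c["x"], c["y"]))
    replicas: Dict[str, Conflict] = {}
    for node_id, locs in locations.items():
        for i, a in enumerate(locs):
            for b in locs[i + 1:]:
                if math.dist(a, b) > tolerance:
                    replicas[node_id] = (a, b)
                    break
            if node_id in replicas:
                break
    return replicas


def sample_run() -> Dict[str, Conflict]:
    """Constructed data: n1 reported twice from the same spot, n2 cloned 100 m
    away, n3 'reported' at two places by an attacker who does not hold its key."""
    keys = {"n1": b"key-n1", "n2": b"key-n2", "n3": b"key-n3"}

    def claim(node_id, x, y, key):
        return {"id": node_id, "x": x, "y": y, "sig": sign_claim(key, node_id, x, y)}

    claims = [
        claim("n1", 10.0, 10.0, keys["n1"]),
        claim("n1", 10.4, 9.8, keys["n1"]),      # same location, within tolerance
        claim("n2", 50.0, 50.0, keys["n2"]),
        claim("n2", 130.0, 110.0, keys["n2"]),   # replica: 100 m away
        claim("n3", 0.0, 0.0, b"wrong-key"),     # forged, dropped
        claim("n3", 99.0, 99.0, b"wrong-key"),   # forged, dropped
    ]
    return detect_replicas(claims, keys, tolerance=2.0)


if __name__ == "__main__":
    print(sample_run())
```

In the distributed variants the same comparison runs at each witness over the claims it happens to store, with the revocation proof being the pair of conflicting claims.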

Figure 3: Sybil attack. 

Figure 4: Node replication attack. 

• Selective forwarding 



In multi-hop routing, messages may traverse many hops before reaching their destination. In a selective 
forwarding attack, malicious nodes simply drop some of the messages instead of forwarding all of them 
(Fig. 5). One example of such an attack is the black hole attack, where the attacker drops all 
messages. To increase the effectiveness of such attacks, attackers will try to put malicious nodes close to base 
stations to attract more traffic. 

Defensive measures 

One possible solution is to use traffic monitoring to ensure that neighbor nodes forward the messages. In 
[44], the authors propose a Watchdog scheme that identifies selfish nodes and a Pathrater scheme 
that helps routing protocols avoid such nodes. The Watchdog scheme is further extended by a reputation-based 
scheme [?], where the neighbors of any single node collectively rate the node according to how 
well it executes the functions requested of it. 

Another possible way is to use multi-path routing [55]. These defenses may decrease the probability 
that a message will encounter an adversary along all routes. In [59] the authors analyze single-path and 
multi-path routing where deterministic and probabilistic selection mechanisms are used. They show that 
multi-path routing protocols have better end-to-end packet delivery than single-path routing. However, 
as expected, multi-path routing consumes much more energy than single-path routing. 
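The Watchdog/Pathrater idea described above, as an added example that is not code from the report or from [44]: a node keeps each packet it hands to a next hop in a pending buffer, clears it when it overhears the forward, charges a drop on timeout, and the route selection then avoids nodes whose drop ratio is too high. The `Watchdog` class, the constructed grey-hole trace and the shortest-clean-path rule are simplifications introduced here.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


class Watchdog:
    """Overhearing-based watchdog (constructed model of the scheme in [44]).

    When this node hands a packet to a next hop, it keeps the packet in a
    pending buffer and listens: if it overhears the next hop forwarding the
    packet before the timeout, the entry is cleared; otherwise the next hop
    is charged with a drop."""

    def __init__(self, max_drop_ratio: float, timeout: int):
        self.max_drop_ratio = max_drop_ratio
        self.timeout = timeout
        self.sent: Dict[str, int] = defaultdict(int)
        self.dropped: Dict[str, int] = defaultdict(int)
        self.pending: Dict[Tuple[str, int], int] = {}   # (next_hop, pkt) -> deadline

    def handed_to(self, next_hop: str, pkt: int, now: int) -> None:
        self.sent[next_hop] += 1
        self.pending[(next_hop, pkt)] = now + self.timeout

    def overheard(self, next_hop: str, pkt: int) -> None:
        self.pending.pop((next_hop, pkt), None)

    def tick(self, now: int) -> None:
        # Expire entries whose deadline passed without the forward being overheard.
        for key, deadline in list(self.pending.items()):
            if now >= deadline:
                self.dropped[key[0]] += 1
                del self.pending[key]

    def drop_ratio(self, node: str) -> float:
        return self.dropped[node] / self.sent[node] if self.sent[node] else 0.0

    def misbehaving(self) -> Set[str]:
        return {n for n in self.sent if self.drop_ratio(n) > self.max_drop_ratio}


def pathrater(paths: List[List[str]], misbehaving: Set[str]) -> Optional[List[str]]:
    """Pathrater stand-in: discard routes through flagged nodes and prefer the
    shortest remaining route (the real scheme keeps per-node ratings)."""
    clean = [p for p in paths if not set(p) & misbehaving]
    return min(clean, key=len) if clean else None


def simulate() -> Tuple[Set[str], Optional[List[str]]]:
    """Constructed trace: A relays 10 packets via B and 10 via C.  B is a
    grey hole that forwards only even-numbered packets; C forwards everything."""
    wd = Watchdog(max_drop_ratio=0.3, timeout=2)
    for pkt in range(10):
        wd.handed_to("B", pkt, now=0)
        wd.handed_to("C", pkt, now=0)
    for pkt in range(10):
        wd.overheard("C", pkt)
        if pkt % 2 == 0:
            wd.overheard("B", pkt)
    wd.tick(now=5)
    bad = wd.misbehaving()
    routes = [["A", "B", "sink"], ["A", "C", "D", "sink"]]
    return bad, pathrater(routes, bad)


if __name__ == "__main__":
    print(simulate())
```

The drop-ratio threshold trades false accusations from collisions and genuine losses against detection delay, which is why the paper notes the extension to collective reputation rather than a single observer.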



Figure 5: Selective forwarding attack. 

• Sinkhole attacks 

In sinkhole attacks, an adversary attracts traffic to a compromised node. To create a sinkhole the 
attacker can place a malicious node closer to the sink to attract most of the traffic (Fig. 6). After a successful 
sinkhole attack, adversaries can employ selective forwarding. The nature of sensor networks, where all 
the traffic flows towards one (or a few) sink nodes, makes this type of attack highly relevant. 

Defensive measures 

One approach to avoid sinkholes is to use routing protocols [35] that verify the bidirectional reliability of 
a route with end-to-end acknowledgments which contain latency and quality information. 

RR n° 7230 

O. Erdene-Ochir, M. Minier, F. Valois and A. Kountouris 

Figure 6: Sinkhole attack. 

• Wormhole attacks 

In a wormhole attack as defined in [35], an attacker receives packets at one point in the network and 
tunnels them to another point in the network via an out-of-band connection (Fig. [5]). The wormhole 
attack is particularly dangerous against routing protocols. An adversary situated close to the sink node 
may be able to completely disrupt routing by creating a well placed wormhole. 

Defensive measures 

Wormhole attacks are very difficult to detect, especially when combined with a sinkhole attack. A 
wormhole detection mechanism, called packet leashes, is introduced in [27] and is based on distance 
estimation; it consists of two mechanisms: geographical leashes and temporal leashes. The main idea 
of both mechanisms is to add some information to the packets that restricts their maximum allowed 
transmission distance. A geographical leash ensures that the recipient of the packet is within a certain 
distance from the sender. A temporal leash ensures that the packet has an upper bound on its lifetime, 
which restricts the maximum travel distance, since the packet can travel at most at the speed of light. 
Either type of leash can prevent the wormhole attack, because it allows the receiver of a packet to detect 
whether the packet traveled further than the leash allows. However, both geographical and temporal leashes 
require authentication and integrity, otherwise an adversary can modify or forge them, altering the distance 
information. The main disadvantage of the geographical leash is that it requires the nodes to be equipped with 
GPS or to be able to determine their location in some other way. The main disadvantage of the temporal leash 
mechanism is that it requires extremely tight time synchronization, which might not be possible to achieve 
in some environments. 
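As an added illustration (not code from this report or from [27]), the two leash checks described above written out as a receiver-side verifier. The distance bound with location error, clock error and maximum node speed follows the packet-leashes construction as I recall it; the packet fields, positions and tolerances are constructed sample values, and the authentication of the leash fields is assumed to be handled elsewhere.

```python
import math
from dataclasses import dataclass

C = 299_792_458.0  # speed of light in m/s: a packet can travel at most this fast


@dataclass
class LeashedPacket:
    """Leash fields carried in the packet header (constructed sample; their
    authentication and integrity protection is assumed to be done elsewhere,
    as the text notes it must be)."""
    sender_pos: tuple    # claimed sender location (x, y) in metres (geographical leash)
    send_time: float     # sender's timestamp in seconds (both leash types)
    expire_time: float   # sender-set expiration time in seconds (temporal leash)


def geographical_leash_ok(pkt, recv_pos, recv_time, radio_range,
                          max_speed=0.0, loc_err=0.0, clock_err=0.0):
    """Geographical leash: bound the true sender-receiver distance from above,
    allowing for location error (loc_err), clock error (clock_err) and node
    movement (max_speed), and accept only if even that bound fits in range."""
    elapsed = recv_time - pkt.send_time + clock_err
    bound = (math.dist(pkt.sender_pos, recv_pos)
             + 2 * max_speed * elapsed + 2 * loc_err)
    return bound <= radio_range


def temporal_expiry(send_time, radio_range, clock_err):
    """Sender side of the temporal leash: the packet may not live longer than
    the time light needs to cross the radio range, minus the clock error."""
    return send_time + radio_range / C - clock_err


def temporal_leash_ok(pkt, recv_time):
    """Temporal leash: a packet received after its expiration time has
    travelled further than the radio range allows (e.g. through a tunnel)."""
    return recv_time <= pkt.expire_time


# Constructed scenario: 250 m radio range, static nodes, 5 m location error,
# 100 ns clock error, a genuine link of 100 m and a 2 km tunnel.
RANGE = 250.0
pkt = LeashedPacket(sender_pos=(0.0, 0.0), send_time=0.0,
                    expire_time=temporal_expiry(0.0, RANGE, 1e-7))
t_direct = 100.0 / C  # arrival time over the genuine 100 m link

if __name__ == "__main__":
    print("direct link, geographical leash:",
          geographical_leash_ok(pkt, (100.0, 0.0), t_direct, RANGE, loc_err=5.0, clock_err=1e-7))
    print("direct link, temporal leash:", temporal_leash_ok(pkt, t_direct))
    # The same packet replayed 2 km away, 2 microseconds later: both leashes reject it
    print("tunnelled, geographical leash:",
          geographical_leash_ok(pkt, (2000.0, 0.0), 2e-6, RANGE, loc_err=5.0, clock_err=1e-7))
    print("tunnelled, temporal leash:", temporal_leash_ok(pkt, 2e-6))
```

Note how small the temporal budget is: with a 250 m range the whole lifetime is under a microsecond, which is the synchronization burden the text mentions.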

Another technique to defend against wormhole attacks consists in using directional antennas [26]. The 
main idea is that when two nodes are within each other's communication range, they must hear each other's 
transmissions from opposite directions. Directional antennas are less expensive than many mechanisms 
proposed for localization and bring additional benefits, including more efficient use of energy and better 
spatial reuse of bandwidth. However, the use of directional antennas cannot be afforded in many applications. 
Another disadvantage is that links can be lost, as the probability of losing links depends on the density of 
the network. Moreover, this method only allows detecting a single wormhole attack. 

In [57], the authors use neighborhood information to detect wormhole attacks. The main idea is that if 
two nodes are declared as 1-hop neighbors and if the network is sufficiently dense, these two particular 
nodes must have some common 1-hop neighbors whereas it is not the case if the corresponding link is a 
wormhole. 

• Hello flood attacks 

Many routing algorithms use hello packets for neighborhood discovery. In the hello flood attack described 
in [35], the attacker tries to convince all nodes to choose it as a parent, using a powerful radio transmitter 
to flood the whole network with hello messages announcing a false neighbor status. Legitimate nodes 
will then attempt transmission to the attacking node despite many of them being out of its range. 

Defensive measures 

If the attacker has the same reception capabilities, one way to avoid hello flood attacks is to verify 
the bi-directionality of local links [35]. If not, authentication is a solution for nodes to verify the identity 
of their neighbors. 
Figure 7: Wormhole attack. 

2.1.6 Application layer 

• Data aggregation 

Data aggregation can greatly help to reduce energy consumption by eliminating redundant data in WSNs. 
The aggregator nodes collect data using suitable aggregation functions [69] and then transmit the 
aggregated result to an upper aggregator or to the sink node. 

The aggregators are vulnerable to attacks, especially when they are not equipped with tamper resistant hardware. 
Once a single node is compromised, it is easy for an adversary to inject false data into the network and 
mislead the aggregator into accepting false readings. 

Defensive measures 

Numerous techniques have been proposed in the literature to secure data aggregation. These techniques are 
summarized in [70], [SJ and more recently [74]. 

Against node compromise, in [25] the authors propose a method where sensor measurements are forwarded 
unchanged and then aggregated at the second hop instead of at the immediate next hop. 

This method is improved in [33] by using one-hop and two-hop pairwise keys instead of µTESLA. A secure 
hop by hop data aggregation is proposed in [81] that can tolerate more than one compromised node. 

A stealthy attack is discussed in the literature, where an adversary provides false aggregation results 
without revealing its presence. A framework called aggregate-commit-prove is proposed in [23]. This 
framework is extended in [13] to a fully distributed network model instead of the single aggregator model. 

A mathematical framework based on statistical estimation theory and robust statistics to quantify the 
resiliency of aggregation functions against malicious data is presented in [69]. The paper claims that some 
aggregation operators such as average, sum, minimum and maximum are inherently insecure. They showed 
that the median is a more robust alternative for averaging data. The authors argued that trimming and 
truncation can be used to strengthen the security of many aggregation primitives by eliminating possible 
outliers, thus providing inherent robustness against attacks. However, this approach ignores the structure 
of the network and focuses only on the aggregation function at the base station. Moreover, this method can 
falsify some results by eliminating outliers in applications such as bush-fire monitoring, where the 
outliers carry the useful information. A statistical en-route filtering mechanism is presented in [82] to 
detect and drop false reports during the forwarding process. 

Other methods, such as the witness based data aggregation proposed in [55], ensure the validation of the 
data sent. In [42] improved data integrity is achieved by signing the aggregated data. A dynamic en- 
route-filtering scheme for false data injection attacks is proposed in [33]. Sanli et al. (2004) developed a 
new approach, called secure reference based data aggregation, in which sensors send only the difference 
between sensed data and reference values instead of the raw data. 
During the last few years homomorphic encryption schemes have been studied extensively. A homomorphic 
cryptosystem is a cryptosystem that allows direct computation on encrypted data by using an efficient 
system [5]. It can be used in secure aggregation to provide the end to end privacy needed. The protocol 
called concealed data aggregation is proposed in [17] and uses an additive and multiplicative homomorphic 
encryption scheme. Their work, based on the privacy homomorphism (PH) proposed in [20], allows direct 
computation on encrypted data. The authors argue that the security level is still reasonable and that PH helps 
to implement encryption in WSNs, although Wagner (2003) proved that PH is insecure against chosen-plaintext 
attacks. A new secure data aggregation scheme based on homomorphic encryption is proposed in [11]. It uses a 
modular addition instead of the XOR operation found in stream ciphers. Thus, even if an aggregator 
is compromised, the original messages cannot be obtained by an attacker. 

2.2 Network layer security 

An adversary can interfere with the network layer in two ways: from the outside and from the inside of the 
network. Numerous external attacks can be cited, such as eavesdropping and injecting replayed or fabricated 
messages. The basic security requirements such as integrity, confidentiality, non-repudiation and authenticity 
can be ensured by the usual cryptographic protections. 

2.2.1 Security associations (Key management) 

Cryptography is the basic method used in implementing security. In WSNs, asymmetric cryptography 
is considered expensive for individual nodes in terms of computing power, memory used and energy 
consumption. Asymmetric cryptography consists in maintaining two keys, one of which is made public and the 
other kept private. The main techniques used to implement asymmetric cryptosystems are RSA and Elliptic 
Curve Cryptography (ECC). For the same level of protection, the key length used in ECC can be as small as 163 
bits rather than the 1024 bits required in RSA [70]. 

Symmetric cryptography is considered as a typical choice for WSN applications. It uses a single shared 
key known only between communicating nodes. This shared key is used for both encryption and decryption of 
messages. 

Some approaches adopt both asymmetric and symmetric cryptographic schemes to reduce the overheads. 
An "end-middle-end" security framework is proposed in [32] and consists in using a lightweight asymmetric 
cryptography scheme. They exploit the heterogeneity of sensors by introducing rich gateway nodes with public 
key cryptography to compute digital signatures. Therefore, the regular nodes can use symmetric cryptography 
until a gateway is reached. 

The major symmetric cryptography difficulties in the presence of compromised sensor nodes are key 
distribution and tamper resistance. Key distribution protocols can be distinguished into two kinds of approaches, 
centralized and distributed: 

• A centralized key management scheme consists in having only one central point called KDC (Key 
Distribution Center) to ensure creation and distribution of keys. 

• Distributed key management schemes do not have a centralized entity for creation and distribution of 
keys. In this approach we can list different methods such as deterministic, probabilistic, localization and 
t-secure protocols [SB]. In t-secure protocols an adversary has to compromise at least t+1 nodes to find a 
used key. In [86], the authors propose to use a semi-symmetric, t-degree polynomial property by introducing 
a new variant. This protocol is t-secure and the new variant guarantees authentication of identity and 
consolidates security. 

Another novel approach, discussed in [5], is to couple the physical layer with key generation algorithms. 
This coupling is based on the wireless communication phenomenon known as the principle of reciprocity 
of the wireless channel. Fading graphs can be used to generate cryptographic keys, and the non-stationary 
characteristics of a wireless channel can be used to extract enough entropy to obtain cryptographically 
secure keys. Hence, this method is more suitable for indoor applications. It is virtually impossible for a 
third party, which is not located at one of the transceivers' positions, to obtain or predict the exact signal 
envelope. In this case, the radio communication can be considered as an advantage. 

An adversary who gains access to the network becomes even more dangerous. Since nodes are usually 
not well protected physically, they can be captured and compromised, allowing an adversary to extract sensitive 
information such as encryption keys, identity, address etc. In this case, the major functions of the network layer 
such as naming-addressing, neighborhood discovery and routing become targets of internal attacks such as 
Sybil, node replication or Black-Grey-Worm-Sink holes as described in Section 2.1.5. 

2.2.2 Naming and addressing 

Sensor nodes depend on naming and addressing for the routing protocol to be able to convey traffic to them. A 
naming or addressing scheme usually requires that each node be assigned a unique name or address, in order to 
avoid ambiguities. An insider adversary can try to break this principle by cheating on the identities. In Sybil 
attacks an adversary assigns different identities to the same node whereas in node replication attacks several 
adversary nodes may share the same identity. 

2.2.3 Neighborhood discovery 

In many WSN protocols sensor nodes must be aware of their neighborhood to know which other nodes they can 
communicate with. In the neighborhood discovery protocol, sometimes also called "Hello protocol", nodes 
broadcast a "Hello message" in order to be discovered by their neighbors. An outsider attacker can perform a 
jamming attack to prevent two nodes from establishing a neighborhood relationship. In addition, an insider 
adversary can disrupt the neighborhood discovery by introducing false HELLO packets or by not respecting the 
timing of periodic sends, thus disrupting the stability of the neighborhood. 

2.2.4 Secure routing 

WSNs use multi-hop communication to increase network capacity and save overall energy (increasing thus 
the network lifetime) and to reduce interference between nodes. In multi-hop routing, messages may traverse 
many hops before reaching their destinations. Simple sensor nodes are usually not well physically protected 
because they are cheap and can be deployed in open or hostile environments where they can be easily captured 
and compromised (e.g. by an adversary that can extract sensitive information). After node compromise, an 
adversary gains access to the network and can produce malicious activities. Such attacks may have severe 
consequences; they may allow the adversary to corrupt network data or even disconnect significant parts of the 
network. 

We focus here on attacks that appear in the network after node capture. Other attacks such as jamming, 
exhaustion, collisions, link layer jamming or attacks against data aggregation can be produced in WSNs, however 
they target essentially the physical, link or application layers. Attacks at the network layer are summarized in 
[35] as follows: (a) spoofed, altered or replayed routing information; (b) selective forwarding, node replication, 
Sybil attacks or Black-Grey-Sink holes and HELLO flooding. 

The attacks which are within the scope of the present work correspond to those in the second list. These 
are general attacks which can be performed against any routing protocol. However, numerous attacks target 
vulnerabilities due to the behavior of a specific protocol. In [72], Wood et al. underline the necessity to protect 
protocols at design time. They explain how an adversary can exploit protocol vulnerabilities to perform 
efficient DoS attacks. An adversary can exploit reasonable approaches for power conservation and efficiency, 
which make protocol behavior deterministic and predictable and thus vulnerable to attacks. 

There are some other attacks against specific routing techniques such as rushing attacks, which target on- 
demand routing protocols, attacks that disrupt route discovery process, location disclosure attacks which target 
geographic routing protocols, attacks against virtual coordinates and so on. 

Numerous approaches exist to secure routing protocols. 

• Cryptographic approaches 

Here, we elaborate on techniques based on cryptographic approaches to defend against attacks at the 
routing layer by introducing special secure routing algorithms. 

SRP, ARIADNE and ARAN are proposed to defend against attacks on on-demand routing. The SRP (Secure 
Routing Protocol) [Haas02] combats attacks that disrupt the route discovery process and guarantees 
the acquisition of correct topological information. SRP allows the initiator of a route discovery to detect 
and discard bogus replies. However, SRP is not immune against wormhole attacks, and colluding malicious 
nodes can misroute the routing packets. 

ARIADNE [35] is a secure ad-hoc routing protocol based on DSR, which guarantees that the target 
node of the route discovery process can authenticate the initiator and the initiator can authenticate each 
intermediate node on the path to the destination. ARIADNE provides point-to-point authentication of 
a routing message using message authentication codes (MAC) and shared keys between the two parties. 
For the authentication of broadcast packets such as RREQ, ARIADNE relies on the TESLA broadcast 
authentication protocol. 

ARAN HD] is a secure on-demand routing protocol that detects and protects against malicious actions 
carried out by third parties. ARAN introduces authentication, integrity and non-repudiation by using a 
trusted certificate server. The goal of ARAN is to allow verifying that the intended destination was reached. 
However, using asymmetric cryptography makes ARAN very costly in terms of energy consumption and 
computation power, hence not suitable for WSNs. 

SEAD [53] is a secure proactive routing protocol based on the DSDV (Destination Sequenced Distance 
Vector) protocol. The basic idea of SEAD is to authenticate the sequence number and metric of a 
routing update message using one-way hash chains. Moreover, the receiver of SEAD routing information 
authenticates the sender, ensuring that the routing information originates from the correct node. The authors 
propose to use TESLA for broadcast authentication, or to use MACs assuming shared keys between each 
pair of nodes in the network. However, SEAD does not cope with wormhole attacks. 

SPINS, proposed in [55], is composed of two protocols, µTESLA and SNEP. µTESLA introduces asymmetry 
through delayed disclosure of symmetric keys, resulting in an efficient broadcast authentication scheme 
adapted to WSNs. SNEP provides data confidentiality, two-party data authentication and data freshness. 
The main goal of SNEP is to protect communication between the base station and sensors or between two 
sensors in the network. SNEP requires a symmetric key initially shared between nodes and the base station. 
This shared key allows each sensor to derive the encryption and authentication keys. SNEP proposes to 
use a counter shared between nodes and the base station to guarantee data freshness. 

In [67], nodes are divided into different levels depending on energy consumption and reliability. Low- 
level nodes have the role to sense and upper-level nodes are responsible for routing and aggregating data. 
They propose to use symmetric keys based on group key management, where every node contributes its 
partial key to compute the group key. 

• Reputation based schemes 

The basic idea of a reputation based scheme is to choose the nodes with good reputation for constructing 
routing paths. Watchdog and Pathrater jH] are discussed as a trust-based routing scheme. Watchdog 
allows identifying misbehaving nodes and Pathrater helps to avoid these nodes. Other methods such as 
Virtual currency, Nuglets, and Sprite are based on the compensation of good contributing nodes by micro 
credits. Nodes receive virtual payment for forwarding a message and this payment is deducted from the 
sender. However, such reputation based schemes are mainly designed for Ad-hoc networks and they do not 
take into account colluding malicious nodes. 

• Multi-path routing 

Multi-path schemes provide more reliable routing, though they introduce more communication overhead. 
Some multi-path routing techniques are discussed in the literature in order to resist against node failures. 
Examples are the disjoint multipath and braided multi-path techniques [22]. Another technique described 
in [37] is to repair broken links by utilizing location information. These techniques can be adapted to secure 
routing against compromised nodes. [59] shows that multi-path routing protocols have better end-to-end 
packet delivery than single path routing, but as expected they consume much more energy. 

3 Our approach 
3.1 Motivation 

Node compromise is the major problem of security in WSNs, since it allows an adversary to enter inside the 
perimeter of security, by extracting sensitive information such as encryption keys, identities, addresses etc. 
After node compromise, the attackers can produce internal attacks such as Sybil attacks, node replication or 
Black-Grey-Worm-Sink holes. 

As described in Section 2.2.4, numerous approaches exist to secure WSN routing protocols. Most of the existing 
mechanisms are based essentially on cryptographic primitives [51, 28, 60, 55], reputation based schemes [44, 41] 
or use specialized hardware [26, 27]. However, these mechanisms do not protect against all attacks and are 
most of the time inefficient when node compromise is considered. Furthermore, reputation based schemes are 
specific to selective forwarding attacks. Finally, solutions that use specialized hardware are specific to wormhole 
attacks. 

The literature is rather scarce [59] in analyzing the inherent security of routing protocols which, though not 
initially designed for security, may possess inherent resiliency against internal attacks. [59] shows that multi- 
path routing protocols have better end-to-end packet delivery than single path routing, but they consume much 
more energy. However, the authors do not take into account routing functionalities such as route discovery, route 
maintenance, neighborhood discovery etc. and focus only on the multipath aspect. With the aim of 
contributing in this direction, our definition of resiliency is given in the next subsection. 

3.2 Definition of resiliency 

According to Webster [1], in mechanics resiliency is the capability of a strained body to recover its size and shape 
after deformation caused especially by compressive stress. In a broader context Webster also defines resiliency 
as an ability to recover from or adjust easily to misfortune or change. Building upon the general dictionary 
definition and after reviewing the multiple definitions of resiliency and other close notions in networking, we felt 
the need to define it more precisely. In our case, with the security of routing functionalities in mind, we define 
resiliency as follows: 

Definition 1 (Resiliency) Resiliency is the ability of a network to continue to operate in the presence of k 
compromised nodes, i.e. the capacity of a network to endure and overcome internal attacks. 

More precisely, it means achieving a graceful degradation of the packet delivery rate with an increasing number 
of compromised nodes. In the literature, several conceptually similar properties such as survivability [21], 
robustness [62] and resiliency [69, 22, 38] have been discussed. 

Survivability in information systems is defined in [21] as the ability of the network computing system to 
provide essential services in the presence of attacks and/or failures, and to recover full service in a timely 
manner. Survivability is conceptually similar to resiliency, but from our standpoint this definition is not 
precise enough. The main differences between survivability and our definition of resiliency are that we insist 
on internal attacks, where some portion of the legitimate nodes is compromised, and we emphasize the 
network's capacity to endure and overcome these internal attacks. 

In [39] , the authors discuss the survivability by connecting it with intrusion tolerance [18] . The authors claim 
that survivability should be reached by use of preventive, reactive and tolerant approaches operating together. 
However, this view of survivability corresponds to general security issues, and it is not in the direction that we 
aim to contribute, i.e. "beyond cryptography" approaches. 

Robustness is defined in [62] as the requirement to accommodate hardware and software failures, asymmetric 
and unidirectional links, or limited range of wireless communication. It includes the need for the networks to 
survive specific types of device overrun (physical seizure), network fragmentation and denial-of-service attacks. 
The definition of robustness is mainly focused on the failures of the system and does not reflect the network 
which endures and overcomes the shock caused by internal intruders. 

Other definitions of resiliency were used in several contexts such as data aggregation [69], route failures 
[22], key distribution and management [35]. According to [69], an aggregation function $f$ is $(k, \alpha)$-resilient 
(with respect to a parameterized distribution $p(X_i \mid \theta)$) if $rms^*(f; k) < \alpha \times rms(f)$ for the 
estimator $f$, where $rms^*(f; k)$ denotes the root-mean-square error of the most powerful $k$-node attack 
possible. Roughly speaking, an aggregation function $f$ is $(k, \alpha)$-resilient if, for small values of $\alpha$, it can 
be computed meaningfully and securely in the presence of up to $k$ compromised nodes. This definition is 
conceptually very close to ours. As [69] compares the resiliency of aggregation functions, our aim is to compare 
the resiliency of routing protocols. In [22] it is argued that the resiliency of a scheme measures the likelihood 
that, when the shortest path has failed, an alternate path is available between source and sink. This definition 
focuses on the resiliency to route failures and does not specifically deal with security issues. Finally, in [38] 
resiliency is defined with respect to cryptographic primitives, which are out of the scope of this report. 

3.3 Network assumptions and Adversary models 

In this section we explain the node compromise distribution models and the implemented adversary models. We 
deal with the security of routing protocols in WSNs and we do not deal with usual cryptographic protections 
for integrity, confidentiality, authentication and non-repudiation. 
3.3.1 Network assumptions 

We consider physically identical sensor nodes with the same transmission range. We consider one data 
collector, called the "sink". The sensor nodes are densely deployed in a region of size N × N to collect and 
transmit data about the physical world to the "sink". We make the following traditional assumptions: 

• the "sink" is considered robust, having enough resources in terms of memory, computational power and 
battery to support the cryptographic and routing requirements of WSNs. Thus, adversaries cannot 
compromise the sink in limited time. 

• the "sensor node" has limited resources in terms of memory, computational power and battery. We assume 
that sensor nodes are not trustworthy since they are vulnerable to physical attacks and an adversary can 
compromise them. 

A connected graph is considered as the physical topology of the network. The packets are routed from the 
source to the destination on this physical topology. A fixed radius random graph, which is a common and 
practical graph model proposed for modeling WSNs, is used. Let us consider a graph G(Ω, E) where Ω is a set 
of nodes wirelessly connected pairwise by a set E of undirected edges representing communication links between 
nodes. In this model, the nodes are randomly placed in an N × N region according to a uniform distribution. 
A link exists between two nodes i and j if the Euclidean distance between these two nodes is less than the 
communication range. We assume that the wireless links in our graph are bi-directional, i.e. if node i hears 
node j then node j also hears node i. 

3.3.2 Adversaries Definitions 

In this section some definitions concerning attacks, taken from [7], are presented. An attack is an intentional 
act by which an entity attempts to evade security services and violate the security policy of a system, that is, 
an actual assault on system security that derives from an intelligent threat. 
Attacks can be characterized according to the adversary's capacities: 

• a "laptop class attacker" may have access to powerful devices with more computational resources, such 
as laptops or their equivalent. A single laptop-class attacker might be able to eavesdrop on and to jam the 
entire network. 

• a "mote class attacker" has access to a few motes with the same capabilities as other ordinary sensor 
nodes. They have no resource advantages over legitimate nodes. 

Attacks can be characterized according to intent: 

• a "passive attack" attempts to learn or make use of information from a system but does not affect system 
resources. For example, passive eavesdropping that gathers information can compromise privacy 
and confidentiality. 

• an "active attack" attempts to alter system resources or affect system operations. Compared to a passive 
attack, the goal of the active attacker is to produce DoS attacks, to disrupt communication by destroying 
links, to exhaust available resources such as bandwidth or energy etc. 

Attacks can also be characterized according to point of initiation: 

• an "outsider attack" is initiated from outside the security perimeter, by an unauthorized or illegitimate 
user of the system (an "outsider"). Numerous external attacks such as jamming, eavesdropping, injecting 
replayed or fabricated messages can be cited. 

• an "insider attack" is one that is initiated by an entity inside the security perimeter (an "insider"), i.e. an 
entity that is authorized to access system resources but uses them in a way not approved by the party 
that granted the authorization. Selective forwarding, Sybil attacks or Black-Grey-Worm-Sink hole attacks 
can be mentioned. 

In our model, "mote-class" attackers are considered, where ordinary sensor nodes can be captured and 
compromised by an adversary. We deal with an "insider" adversary who is "active". In Section 4.1 the attacks 
which have been considered for simulations are described in detail. 
3.4 WSN routing protocols 

WSNs share some common points with Ad-hoc networks such as lack of infrastructure, decentralized 
architecture, self-organization and self-configuration, and radio communication. Thus, Ad-hoc routing 
techniques greatly inspire WSNs. However, due to specific characteristics (convergecast traffic profile, strong 
energy constraint, large number of nodes, high node density) some Ad-hoc routing techniques are not suitable 
for WSNs. 

3.4.1 Classification 

We propose a classification of routing protocols in WSNs into four groups: flooding based routing, probabilistic 
routing, location based routing and hierarchical routing (Fig. 8). 

Figure 8: Classification of routing protocols in WSNs. 



• Flooding based routing 

In flooding, a sensor node sends packets to all its neighbors, and neighbor nodes forward them to their 
neighbors until all nodes are reached. With an ideal MAC layer all nodes can be reached, but in realistic 
conditions many collisions will occur and there are usually lots of retransmissions, redundancy and packet 
loss. The common point of the protocols in the flooding category is using a flooding mechanism to discover 
routes, or to maintain topological information or to setup a gradient metric. 

• Probabilistic routing 

Protocols in this category choose the next hop using a dynamically assigned probability or a random choice. 
In the gossiping protocol, a sensor sends packets to a randomly selected neighbor, which does the same until 
the destination is reached or the packet time-to-live expires (TTL = 0). Gossiping nodes may forward packets 
back to the sender, creating potential inefficiencies and delay problems. The common point of these protocols 
is the use of some random choice, which makes their behavior non deterministic. 

• Location based routing 

The common point of the protocols in this category is to use some information about geographical location 
for routing purposes. Each node has to know the destination node's geographical location, its own 
location and the location of all its neighbors. 

• Hierarchical routing 

In this category, routing is based on hierarchy of nodes; some nodes can be physically different. Sensor 
nodes can have different roles such as simple sensors or leader nodes. Leader nodes can have some special 
responsibilities such as data aggregation, data fusion, routing whereas simple nodes just sense and transmit 
data to leader nodes. 

3.4.2 Protocols Under Study 

To compare the behavior of different routing protocols, under different adversary models, we have selected four 
routing protocol candidates covering three of the four categories: Dynamic Source Routing (Flooding) , Gradient- 
Based Routing (Flooding), Greedy Forwarding (Geographical) and Random Walk Routing (Probabilistic). 

• Dynamic Source Routing (DSR) 

DSR [32] is a flooding based routing protocol, which uses three types of packets: RREQ, RREP and DATA 
packets. The RERR packet type is not considered in this report. The source node floods a RREQ packet 
in order to discover routes toward an intended destination (Fig. 9a). Full source-routes are accumulated 
in the RREQs, and are sent back to the source in RREPs by the sink (Fig. 9b). Once the source node 
has received an RREP packet, it updates its routing table and then uses this information to send DATA 
packets to the sink (Fig. 9c). The route discovery process is run here only the first time a 
source node needs to send a DATA packet to the sink. 

Figure 9: Dynamic Source Routing. (a) Route request phase, (b) Route reply phase, (c) Data dissemination. 

• Gradient-Based Routing (GBR) 

GBR g3] is a flooding based routing protocol which uses two types of packets: INTEREST and DATA 
packets. The sink floods an INTEREST packet in order to set up a gradient (Fig. 10a). The INTEREST 
packet records the number of hops taken from the sink. Then a node can discover its minimum number of 
hops from the sink, called the node "height". The height difference between a node and one of its neighbors 
is the gradient on that link. The gradient setup process is performed here only once, at the beginning of the 
simulation. Then nodes send their DATA packets to one of their minimum gradient neighbors, and their 
neighbors do the same until the sink is reached (Fig. 10b). 

• Greedy forwarding (GF) 

Greedy forwarding [25] is a geographical routing protocol, which uses two types of packets: DATA and 
HELLO packets. Each node knows its own location and the location of the sink. Each node broadcasts 
HELLO packets with its identity and location information. All neighbors who receive HELLO packets 
update their neighborhood table. Each node forwards DATA packets to the neighbor geographically 
closest to the destination, thus achieving the maximum progress toward the destination (Fig. 11). Here 
the basic greedy forwarding, without any hole bypassing mechanism, is considered since we use densely 
and uniformly deployed topologies without holes. 

Figure 10: Gradient-Based Routing. (a) Gradient setup phase, (b) Data dissemination. 

Figure 11: Greedy forwarding. Data dissemination. 

• Random Walk Routing (RWR) 

RWR H>T] is a probabilistic routing protocol, which uses two types of packets: DATA and HELLO packets. 
A very simple random walk routing protocol is considered. First, each node broadcasts a HELLO packet 
with its identity. All neighbors who receive a HELLO packet update their neighborhood tables. Each 
node sends DATA packets to a randomly selected neighbor, who does the same until the destination is 
reached or the TTL of the packet expires (Fig. 12). Note that RWR can yield routing loops. 

Figure 12: Random Walk Routing. Data dissemination. 

4 Simulation results 

In this section, the simulation setup and our basic assumptions are stated first, followed by the obtained 
simulation results and their analysis. 

Simulations were performed using WSNet [24], which is an event-driven simulator for wireless networks. 
In the rest of this report, we assume a unique trustworthy sink and untrustworthy sensor nodes, since the latter are 
vulnerable to physical attacks and can be compromised. 

4.1 Implemented Attacks 

In multi-hop routing, packets may traverse many hops before reaching their destination. The attack which is 
common to all protocols is DATA packet oriented selective forwarding. Depending on the information used by each 
protocol, protocol specific attacks such as HELLO and CONTROL packet oriented attacks are also considered. 

In the DATA packet selective forwarding attack, malicious nodes simply drop certain messages instead of 
forwarding all of them. We focus our simulations on two particular scenarios based on selective forwarding for 
two models for compromised node distribution: a uniform distribution across the whole network area (Scenario 
1) and within a smaller area around the sink (Scenario 2). 

In the HELLO packet oriented attack, malicious nodes lie about their identities by illegitimately claiming 
multiple identities (Sybil). In our case, this attack is considered for RWR and GF, which use HELLO packets in 
order to establish neighborhood relationships (Scenario 3). GBR and DSR use a flooding mechanism to establish 
their routes and thus are immune to this attack. 

In the CONTROL packet oriented attack, malicious nodes introduce false control packets to attract more traffic, 
in order either to exploit it for their own needs and/or to drop it with the intention of efficiently disrupting the 
delivery of data. We considered this attack for DSR and GBR (Scenario 4). 

Scenario 1: DATA packet oriented selective forwarding attack with uniformly distributed 
compromised nodes across the whole network area. In this model, we suppose that an adversary has no 
information about the location of the sink, leading to compromised nodes distributed at random positions. Thus, 
k compromised nodes (10% to 50% of the node population) are randomly and uniformly distributed on an N x N 
square field. An example is given in Fig. 13, where compromised nodes are shown in red. These malicious nodes 
drop all DATA packets coming from their neighbors (forwarding probability p_t = 0). However, they generate 
and send their own DATA packets to the sink. 



Figure 13: Uniformly distributed across the whole network. 

Scenario 2: DATA packet oriented selective forwarding attack with uniformly distributed 
compromised nodes around the sink (Sinkhole). In this model, we suppose that an adversary has some 
information about the location of the sink and he tries to compromise nodes close to the sink. Thus, a square 
of size M x M is defined around the sink, which is 1/4 of N x N, and k compromised nodes are randomly 
distributed in it as shown in Fig. 14. The compromised nodes (shown in red) behave as described in Scenario 1. 

Figure 14: Uniformly distributed around the sink. 

Scenario 3: HELLO packet oriented attack with uniformly distributed compromised nodes 
across the whole network area. In this model, k compromised nodes are randomly and uniformly distributed 
on an N x N square field as given in Fig. 13. In our case, all protocols send HELLO packets periodically to 
establish neighborhood relationships. Compromised nodes lie about their identities by illegitimately claiming 
multiple identities (Sybil). 

In this adversary model, malicious nodes introduce false HELLO packets by producing a new identity for 
each packet sent. A HELLO packet is sent every 3 seconds. Every node purges its neighborhood table every 7.5 seconds. 
For each periodically sent HELLO packet, the compromised nodes choose a new identity in the interval [0, N], 
where N is the total number of nodes. The new identity is different from its real identity and from the identities of its 
direct neighbors. We refer to a malicious device's additional identities as Sybil nodes. According to the Sybil attack 
taxonomy [49], our model corresponds to "direct communication", where Sybil nodes communicate directly with 
legitimate nodes, "fabricated identities", where an attacker can simply create arbitrary new Sybil identities, and 
the "non-simultaneous" form, where an attacker might present a large number of identities over a period of time 
while only acting with a smaller number of identities at any given time. 

Scenario 4: CONTROL packet oriented attacks with uniformly distributed compromised nodes 
across the whole network area. In this model, k compromised nodes are randomly and uniformly distributed 
on an N x N square field as given in Fig. 13. Compromised nodes introduce false CONTROL packets to attract 
more traffic. 

These attacks are applicable to protocols using CONTROL packets (RREQ, RREP, INTEREST etc.). In 
our case, we considered false RREP packets for DSR and false INTEREST packets for GBR. We do not consider 
false RREQ packets in DSR, because they are of no interest to malicious nodes. In GBR, when the sink node 
floods an INTEREST packet in order to set up gradients, compromised nodes modify the number of hops, which 
results in claiming to be nodes with better gradient values. In DSR, when a source node floods a RREQ packet 
to discover a route to the sink node, compromised nodes intercept the RREQ packet and send a false RREP 
packet with a false path. In both cases, a malicious node claims to be a node which is a direct neighbor of the 
sink. 
Parameter               Value 
Number of nodes         300 
Area size               100 x 100m 
Transmission range      20m 
Topology                uniformly distributed 
Traffic generation      Poisson distribution λ = 1 p/s 
Number of runs          100 
Simulation time         100s 

Table 1: Summary of the simulation parameters. 



4.2 Simulation Assumptions and Environment 

300 sensor nodes are randomly and uniformly distributed over a square field of 100m x 100m. A unique sink is 
assumed at the center of the field. The deployed nodes have fixed positions during each simulation. The radio 
range is 20m resulting in an average degree per node of 31. The time to live (TTL) of each packet is fixed to 
32 hops. 

WSNet gives the possibility to define radio propagation and interfaces to a great level of detail. However, since 
our purpose is to focus on routing aspects and to consider only the impact of the defined attacks on routing, we 
configure WSNet with ideal physical/MAC layers (i.e. no interference, no path loss, omni-directional antennas 
and no collisions). 

Traffic is generated using a Poisson model. Hence, the packet inter-arrival time follows an exponential 
distribution with parameter λ, about 1 packet/sec per node. The simulation time is 100 seconds, and the total 
number of generated packets is about 30000. The simulations are averaged over 100 trials for each adversary 
model and for each protocol, with a 95% confidence interval. Table 1 summarizes the simulation parameters. 

4.3 Evaluation Metrics 

The main responsibility of the routing layer is to ensure reliability of the network. Reliable delivery of data 
characterizes the success of routing protocols. To gain insight concerning the WSN routing resiliency, as defined 
in Definition 1, the following three evaluation metrics are used: 

• Average delivery ratio: Delivery ratio = total number of received packets by the sink / total number of 
sent packets by the sensors. This is the most important metric in order to evaluate the success of routing 
functionality and the reliability of the network. Without any attacks and without any interferences and 
collisions, all DATA packets are received successfully by the sink and the delivery ratio is 1. The delivery 
ratio for the four chosen routing protocols is measured for the two scenarios by varying the number of 
compromised nodes. 

• Average degree of nodes: Degree of nodes = number of neighbors for each node. The average degree 
for each node is measured in order to detect neighborhood abnormalities. 

• Average path length: Path length = number of hops crossed for each received packet. This metric allows 
us to determine the number of forwarding nodes on a route. 

4.4 Results and Analyses 

Scenario 1, Results and Analyses 

Fig. 15a shows the average delivery ratio of the four chosen routing protocols (DSR, GBR, GF, RWR) 
for Scenario 1. As expected, the average delivery ratio decreases when the percentage of compromised nodes 
increases. GBR, DSR and GF have similar results, whereas RWR is the worst in successful packet delivery. The 
difference between RWR and the other protocols is due to the method of route choice: RWR does not automatically 
favor the shorter paths, since each node sends DATA packets to a randomly selected neighbor. Hence, 
DATA packets can take long routes. 

Fig. 15b shows the average path length of the four routing protocols for Scenario 1. RWR has a much longer 
path length than the others. The path length is inversely proportional to the average delivery ratio. When the path 
length is high, the number of forwarding nodes is high. Thus, the probability to meet malicious forwarding nodes 
increases. Moreover, we observe that the path length of RWR decreases when the percentage of compromised 
nodes increases. Hence, received DATA packets come mainly from the sensor nodes which are the closest to 
the sink. This fact can be explained as follows: if $l$ denotes the path length in number of hops from source to 
destination, $p_c$ denotes the probability that a node is compromised and $p_n$ is the probability that a packet is 
delivered (i.e. all forwarding nodes on the route are legitimate), we have $p_n = (1 - p_c)^l$. The probability to find 
a "safe" route in RWR decreases exponentially with route length. 

Figure 15: Scenario 1. (a) Average delivery ratio, (b) Average path length. 

Figure 16: Scenario 2. (a) Average delivery ratio, (b) Average path length. 

DSR, GBR and GF choose the next hop closest to the destination, thus DATA packets meet most of the time the 
same nodes, which are at the center of the field. Here we observe that the shortest path strategy leads to a greater 
delivery ratio, because packets have a lower probability to meet malicious nodes and only a few nodes at 
the center of the field are used. However, deterministic route choice could be considered as a bad property 
for resiliency, since all packets will be lost if at least one forwarding node on the route is compromised and, 
due to the deterministic choice, the structural redundancy of the physical topology will not be effectively exploited. 
RWR in theory is capable of exploiting the potential connectivity of the physical topology but suffers from the route 
length effect. 
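The route length effect described above can be reproduced in a small model. The following is an added example, not the report's WSNet code; it assumes a constructed 15 x 15 grid topology with an 8-neighbor radio range (instead of the report's 300 uniformly placed nodes), the sink at the grid center, TTL = 32 hops and compromised forwarders that drop every DATA packet, and it measures delivery ratio and average path length for GF and RWR under Scenario 1.

```python
"""Toy re-creation of Scenario 1 (DATA selective forwarding, compromised nodes
spread uniformly) for greedy forwarding (GF) and random walk routing (RWR).
Added example, not the report's WSNet code.  Assumptions: a 15 x 15 grid of
nodes with an 8-neighbour radio range, the sink at the grid centre, TTL = 32
hops, and compromised forwarders that drop every DATA packet (p_t = 0)."""
import math
import random

SIDE = 15   # constructed topology: SIDE x SIDE grid, 225 nodes
TTL = 32    # hop limit, as in the report


def build_grid(side=SIDE):
    """Return (pos, nbrs, sink): node -> (x, y), node -> neighbour ids, sink id."""
    pos = {i: (i % side, i // side) for i in range(side * side)}
    index = {p: i for i, p in pos.items()}
    nbrs = {}
    for i, (x, y) in pos.items():
        nbrs[i] = [index[(x + dx, y + dy)]
                   for dx in (-1, 0, 1) for dy in (-1, 0, 1)
                   if (dx or dy) and (x + dx, y + dy) in index]
    sink = index[(side // 2, side // 2)]
    return pos, nbrs, sink


def forward(src, sink, pos, nbrs, compromised, proto, rng):
    """Route one DATA packet hop by hop.  Returns the hop count if the sink is
    reached, None if a compromised forwarder drops it or the TTL expires."""
    cur, hops = src, 0
    while cur != sink:
        if hops == TTL:
            return None                       # TTL exhausted (RWR may loop)
        if proto == "GF":                     # neighbour closest to the sink
            nxt = min(nbrs[cur], key=lambda n: math.dist(pos[n], pos[sink]))
        else:                                 # RWR: uniformly random neighbour
            nxt = rng.choice(nbrs[cur])
        hops += 1
        if nxt in compromised:                # selective forwarding: dropped
            return None
        cur = nxt
    return hops


def simulate(proto, frac_compromised, packets_per_node=20, seed=1):
    """Return (delivery_ratio, avg_path_length of delivered packets).  The sink
    is never compromised; compromised nodes still send their own DATA traffic."""
    rng = random.Random(seed)
    pos, nbrs, sink = build_grid()
    sources = [n for n in pos if n != sink]
    compromised = set(rng.sample(sources, round(frac_compromised * len(sources))))
    sent = delivered = total_hops = 0
    for src in sources:
        for _ in range(packets_per_node):
            sent += 1
            hops = forward(src, sink, pos, nbrs, compromised, proto, rng)
            if hops is not None:
                delivered += 1
                total_hops += hops
    avg_len = total_hops / delivered if delivered else 0.0
    return delivered / sent, avg_len


def p_safe(path_len, p_c):
    """Report's estimate p_n = (1 - p_c)^l: all l forwarders are legitimate."""
    return (1 - p_c) ** path_len


if __name__ == "__main__":
    for proto in ("GF", "RWR"):
        for frac in (0.0, 0.1, 0.3, 0.5):
            ratio, length = simulate(proto, frac)
            print(f"{proto:3} {int(frac * 100):2d}% compromised: "
                  f"delivery={ratio:.2f} avg_path={length:.1f}")
    print("p_safe(l=5, p_c=0.1) =", round(p_safe(5, 0.1), 3))
```

On the grid, GF always follows the shortest (Chebyshev) path and delivers everything when no node is compromised, while RWR's walks are several times longer and many expire before reaching the sink, so its delivery ratio is lower even before the first forwarder is compromised.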

Scenario 2, Results and Analyses 
Fig. 16a shows the average delivery ratio of the four chosen routing protocols (DSR, GBR, GF, RWR) for 
Scenario 2. Compared to Scenario 1, the distribution of compromised nodes is localized around the sink, leading 
to a Sinkhole attack. We observe that the impact of the attacks is greater than for Scenario 1. When the 
compromised nodes are close to the sink, they receive more packets for retransmission than other nodes and 
thus attract most of the traffic, creating a "donut effect" around the sink. Fig. 16b shows the average path 
length of the four protocols for Scenario 2. When all nodes around the sink are compromised, the sink receives 
packets only from these malicious nodes. No DATA packets are received by the sink from the legitimate nodes. 
That is why we observe in Fig. 16b a path length that tends to 1. 

Scenario 3, Results and Analyses 

Figure 17: Scenario 3. Average degree of nodes. 

Fig. 17 shows the average degree of nodes of GF and RWR for Scenario 3. As expected, the average degree 
increases when the number of compromised nodes increases. We consider N = 300 the total number of network 
nodes. Let us consider 10% of malicious nodes, k = 30. 

N - k = 300 - 30 = 270 is the number of legitimate identities. Each malicious node has the time to send 2.5 
false HELLO packets before its neighbors purge their neighborhood tables. The total number of created false 
identities is 30 x 2.5 = 75. Hence, the total number of identities in the network is 270 + 30 x 2.5 = 345 instead 
of 300. As the average degree of nodes without attack is 32, when 10% of nodes are compromised, the average 
degree of nodes is 345 x (32 / 300), which is near to 37 as observed in Fig. 17. 

Fig. 18a shows the average delivery ratio of GF and RWR for Scenario 3. The average delivery ratio 
decreases when the number of compromised nodes increases. For the next hop, GF chooses the neighbor closest 
to the sink and RWR chooses a neighbor randomly. As the neighborhood table is established with HELLO 
packets, when the chosen next hop is a non-existent false identity (Sybil node), the DATA packet is lost. GF 
performs better than RWR in successful packet delivery due to the path length, as shown in Fig. 18b (for the same reason as in 
Scenario 1). RWR has much longer paths than the others. 

Scenario 4, Results and Analyses 

Fig. 19 shows the average delivery ratio of GBR for Scenario 4 with false INTEREST packets. The average 
delivery ratio decreases when the percentage of compromised nodes increases. We observe a deeper impact 
than in Scenario 1, as shown in Fig. 15a. Let us consider 10% of malicious nodes, which means k = 30. Over 
two-thirds of the traffic is lost with only 10% of compromised nodes. In GBR, the sink floods an INTEREST 
packet in order to set up the gradient. In GBR, for the next hop, nodes choose the neighbor which has the better 
gradient to forward DATA packets. Malicious nodes improperly modify the hop count of the INTEREST packet, 
claiming to be a direct neighbor of the sink. Most of the time, a legitimate node therefore sends DATA packets to a 
malicious node. Once the traffic is attracted by a malicious node, it drops all DATA packets, thereby producing an 
efficient disruption of DATA delivery. 

Fig. 20 shows the average delivery ratio of DSR for Scenario 4 with false RREP packets. The average 
delivery ratio decreases very quickly when the number of compromised nodes increases. We observe that the 
impact of the attack is much greater than that of the simple selective forwarding attacks (Scenarios 1 and 2). 
Figure 18: Scenario 3. (a) Average delivery ratio, (b) Average path length. 

Figure 19: Scenario 4. Average delivery ratio of GBR. 



In DSR, a source node discovers a route toward the sink by flooding a RREQ packet. When the sink receives 
the RREQ packet, it sends back a RREP packet to the source node. As the RREQ packet is flooded, malicious nodes 
also receive RREQ packets. They then create a false RREP packet with a false path and send it to the source node. 
Most of the time, a legitimate node therefore sends DATA packets to a malicious node. Once the traffic is attracted by 
a malicious node, it drops all DATA packets, thereby producing an efficient disruption of DATA delivery. 

Here, we consider only a small number of compromised nodes (1 to 5) instead of some percentage (10% to 
50%) as considered earlier, because with 10% of compromised nodes, the sink receives only its direct neighbors' 
DATA packets. Let us consider one malicious node, which means k = 1. The total number of nodes is 300, 
including a sink and 299 source nodes. A single compromised node can impact 197 legitimate nodes out of 299 
and attract all their DATA traffic. Two-thirds of the DATA packets are lost with only one compromised node. 
When k = 2, the first compromised node impacts 109 legitimate nodes and the second one impacts 167. A total 
of 276 legitimate nodes out of 299 are impacted with only two compromised nodes. Thus, we observe a significant 
decrease of the average delivery ratio when k = 2. 
Figure 20: Scenario 4. Average delivery ratio of DSR. 

4.5 Requirements for Resiliency 

Firstly, we can say that the more stateful a protocol is and the more its routing depends on state information, the more 
vulnerable it will be to attacks targeting this information. For instance, flooding based routing protocols such as DSR and 
GBR are vulnerable to attacks targeting the route discovery process with false CONTROL packets, whereas GF 
and RWR are vulnerable to attacks targeting HELLO packets. The impact of the CONTROL packet oriented attack 
is much greater than that of the others: only one compromised node can attract two-thirds of the DATA packets. 
In our view, it is important to: 

1. keep WSN routing protocols as stateless as possible to avoid the proliferation of specific attacks and 

2. provide for a degree of random behavior to prevent the adversary from determining which are the best 
nodes to compromise. 

Next, we can distinguish three requirements for resiliency. First, the graph representing the WSN should be 
connected, to ensure reliable communication between source and destination. Second, the degree of the nodes must be 
high, which increases the number of candidates for the next hop and provides enough structural redundancy. 
Third, the routes must be diversified in order to exploit the structural redundancy of the physical topology, while 
balancing the increase of route length. For example, in flooding based routing such as DSR and GBR, the route 
diversity depends on the route maintenance phase, i.e. on how often the routes are updated and new 
routes are established. To obtain better resiliency, we can improve existing deterministic routing protocols such 
as DSR, GBR and GF by introducing some randomness in their behavior, or we can design a protocol which chooses 
a different route randomly for each packet to send. In any case, designing for resiliency will have an energy cost, 
which is an aspect that needs to be quantified. 

Finally, with Scenario 2, we observe that an attack can have a greater impact if an adversary captures nodes 
close to the sink. When an adversary captures all nodes around the sink, it effectively isolates the sink from 
the rest of the network. This is equivalent to saying that the sink is compromised, even if it is considered physically 
tamper proof. Hence, it becomes important to keep the position of the sink secret. Another solution is to 
provide redundant sinks. 

5 Conclusion 

In this report, a preliminary study of WSN security at the routing layer is presented from the standpoint of 
resiliency to attacks. First, we presented an overview of security issues for WSNs in general and at the network 
layer in particular, including existing attacks and defensive measures. Second, a definition of resiliency for 
routing protocols is given and compared with other similar notions. Third, a classification of WSN routing 
protocols is suggested. Finally, we presented simulations and analyses of four particular routing protocols from 
different categories to determine their resiliency against DATA, HELLO and CONTROL packet oriented attacks, 
using three metrics (average delivery ratio, node degree and path length in number of hops). From those 
analyses, we deduced some requirements at the routing layer to enhance the network resiliency in the face of 
those attacks. 

In the future, we intend to give further precision and formality to our definition of resiliency, which will 
permit more precise experimentation and in-depth analysis, and to quantify the energy costs of resiliency. We plan 
to define more expressive metrics incorporating the energy aspect and to further explore the interplay of structural 
(topology) and behavioral (protocol) redundancy in the emergence of resiliency properties. 